Standards and Policies on Packer Use

For those people who missed my presentation at Virus Bulletin this year, I co-presented on the topic of "proper" packer usage. The idea of a "proper" way to use packers is two-fold:

(a) It reduces the prevalence of legitimate packers being used to pack malware.

(b) It makes it easier to identify packers which exist only to pack malware.

This is an industry-wide initiative, with backing from over a dozen security companies, including McAfee, Symantec, IBM, and Trend Micro. It also has the backing of some big packer vendors: Enigma, Obsidium, Oreans (the makers of Themida), and VMPSoft (the makers of VMProtect), but it's not limited to the people who sell packers - open-source packers will be supported, too. To quell any concerns, it's not being run by the anti-malware industry - we're just participants. The IEEE is in charge of it all.

Why do it at all? Imagine this situation: Alice is a packer vendor. She sells her product to Bob. Carol is an anti-malware vendor, and she also sells her product to Bob. Then along comes Dave, the malware author, who manages to steal Bob's copy of Alice's product, and uses it to pack malware. Carol now needs a way to identify the malware that is packed using Bob's stolen packer. How? Introducing "taggants."

A "taggant" is a block of data that identifies a packer family and carries a unique packer license ID, among other things. You might compare taggants to watermarks, which are another form of encoded unique identifier, but a taggant's identifying data is protected by a strong cryptographic algorithm, so it cannot be forged or quietly altered. If a packer includes a taggant in the packed file, then anti-malware software can tell immediately whether the packed sample was produced by a legitimate copy of the packer or by a stolen one. If the packer was stolen, then the packed file can be blocked from executing. The file doesn't even need to be unpacked to determine that, so the check is fast!
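To make the Alice/Bob/Carol/Dave scenario and the taggant check concrete, here is an added example that is not part of the original post and does not implement the IEEE taggant format or any vendor's code. It assumes a hypothetical taggant layout (magic bytes, packer family ID, license ID, Ed25519 signature over the packed payload plus those IDs), a vendor public key per packer family held by the scanner, and a revocation list of license IDs known to be stolen. The payload, IDs and keys are all constructed inside the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Hypothetical taggant layout (constructed for this example, NOT the IEEE format):
//   "TAGG" | 2-byte family ID | 8-byte license ID | 64-byte Ed25519 signature
// The signature covers the packed payload AND the two IDs, so a taggant cannot be
// lifted from one packed file and glued onto another, and the IDs cannot be edited.
const magic = "TAGG"
const idsLen = 2 + 8
const taggantLen = len(magic) + idsLen + ed25519.SignatureSize

type Verdict int

const (
	Untagged         Verdict = iota // no taggant present: fall back to normal scanning
	LegitimatePacker                // valid signature, license not revoked
	StolenLicense                   // valid signature, but license ID is on the revocation list
	InvalidTaggant                  // unknown family or signature does not verify (forged/tampered)
)

// AppendTaggant is what the packer vendor's tool does: it signs the packed output
// together with its family and license IDs using the vendor's private key.
func AppendTaggant(packed []byte, family uint16, license uint64, priv ed25519.PrivateKey) []byte {
	var ids [idsLen]byte
	binary.BigEndian.PutUint16(ids[0:2], family)
	binary.BigEndian.PutUint64(ids[2:10], license)
	signed := append(append([]byte{}, packed...), ids[:]...)
	sig := ed25519.Sign(priv, signed)

	out := append(append([]byte{}, packed...), []byte(magic)...)
	out = append(out, ids[:]...)
	return append(out, sig...)
}

// CheckTaggant is what the anti-malware scanner does. It never unpacks the file: it
// only parses the trailing taggant, verifies the signature with the vendor's public
// key for that family, and consults the revocation list for stolen licenses.
func CheckTaggant(file []byte, pubs map[uint16]ed25519.PublicKey, revoked map[uint64]bool) (Verdict, uint64) {
	if len(file) < taggantLen {
		return Untagged, 0
	}
	start := len(file) - taggantLen
	if !bytes.Equal(file[start:start+len(magic)], []byte(magic)) {
		return Untagged, 0
	}
	payload := file[:start]
	ids := file[start+len(magic) : start+len(magic)+idsLen]
	sig := file[start+len(magic)+idsLen:]
	family := binary.BigEndian.Uint16(ids[0:2])
	license := binary.BigEndian.Uint64(ids[2:10])

	pub, ok := pubs[family]
	if !ok {
		return InvalidTaggant, license // no trusted key for this family: do not trust the tag
	}
	signed := append(append([]byte{}, payload...), ids...)
	if !ed25519.Verify(pub, signed, sig) {
		return InvalidTaggant, license // tampered payload, edited IDs, or a forged taggant
	}
	if revoked[license] {
		return StolenLicense, license // Bob's stolen copy: block the file
	}
	return LegitimatePacker, license
}

func main() {
	// Alice (packer vendor) generates her signing key; Carol (AV vendor) gets the public half.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pubs := map[uint16]ed25519.PublicKey{7: pub}
	revoked := map[uint64]bool{0xB0B: true} // Bob's license ID, reported stolen (constructed)

	packed := []byte("constructed packed payload")
	good := AppendTaggant(packed, 7, 0xA11CE, priv)
	stolen := AppendTaggant(packed, 7, 0xB0B, priv)
	for _, f := range [][]byte{good, stolen, packed} {
		v, lic := CheckTaggant(f, pubs, revoked)
		fmt.Printf("verdict=%d license=%#x\n", v, lic)
	}
}
```

The point to notice is the division of trust: the scanner needs only the vendor's public key and a revocation list, not the packer itself, and a stolen copy of the packer still produces a taggant that verifies, which is exactly what lets the license ID be tied back to the theft.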

Best of all, the system will be free for all packer vendors to use, and it's completely transparent to the users.

Are you a packer vendor and want to sign on? For more information, you can review our VB 2010 presentation (.PPT), or you can read a paper I’ve co-authored on standards and policies (.PDF) for packer use available from the Microsoft website.